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(For Review and Approval) 


Summary 

• In December 2016, the Departmental Audit Committee (DAC) accepted DGAEE’s 
Continuous/Tiechnically Assisted Audit: Memberships 

• DGAEE requests that the Chief, CSE approve this report to both finalize the audit and 
to enable the audit team to include the recommendations and ensuing action plan in 
the Management Action Plan Progress Report 

• DGAEE also requests approval from the Chief, CSE to publish the audit report on the 
DGAEE internal website 


Background 

The audit findings from the Continuous/T-echnically Assisted Audit: Memberships were 
presented to the DAC in December 2016. The following findings were tabled: 

• Exercise of financial authority for the remittance of memberships was carried out 
by persons with appropriate delegated financial authority and with an appropriate 
segregation of duties. 

• Individual membership fees were remitted in accordance with policy and directive 
requirements, or had documented rationale for exceptional approval from DG HR. 

• The process to obtain corporate memberships differed from the process outlined in 
CSE’s Directive on Membership, Registration and Licensing Fees (HRH-65). 

• Tracking of individual and corporate memberships was incomplete and did not 
have a reconciliation process with FAMIS. 

The management action plans provided by the relevant stakeholders were deemed 
satisfactory by the DAC. 
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At the conclusion of the presentation, the DAC recommended the audit for Chief, CSE 
approval. 


Decision/Direction 

It is recommended that the Chief, CSE approve the Continuous/Technically Assisted Audit- 
Memberships and permit the document’s publication to the DGAEE internal website. 


Next Steps 

Once approval has been received, the report will be finalized, translated, and published. In 
addition, the Management Action Plan Progress Report will be updated to reflect the audit’s 
recommendations and Management Action Plan. 





Joanne Renaud, CPA, CMA & Certified Coach 
Director General, Audit, Evaluation and Ethics 


Approved)Not Approved 



Greta Bossenmaier, Chief 
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Conformance and Assurance Statement 


Continuous / technically assisted (CTA) auditing refers to the proactive monitoring of key, risk- 
based practices and controls using technology and audit trade skills as an efficient and effective 
mechanism to support results achievement and management's active monitoring efforts. It 
presents a unique value proposition for Internal Audit as it can identify, in a timely manner and 
with minimal resources, anomalies resulting from the intelligent interrogation of databases that 
may warrant explanation or investigation. 

Performing CTA audit testing on a periodic basis provides: 

• Reasonable assurance that controls are operating as intended and that the associated 
risks are being mitigated adequately; 

• Detection of anomalies that might indicate errors or fraud; and 

• Tracking and escalation of exceptions for possible action. 

Although not as high as if resulting from a full audit, the level of assurance that results from 
this audit should be useful to management. 

To the extent considered appropriate and applicable, the Institute of Internal Auditors 
standards were applied in the conduct of this engagement. 
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For information about this report, contact the Director General, Audit, Evaluation and Ethics (DGAEE). 
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Introduction 


Parliament and Canadians expect the federal government to manage public funds with the 
highest standards of fiscal prudence, accountability and transparency. While fundamental 
governance principles apply to government expenditures at all levels, it is understood that 
specific membership-related expenditures are necessary in order for departments to effectively 
deliver services to Canadians. 

1.1 Background 

Membership expenditures at CSE were most recently examined in the 2011 Audit of 
Memberships. The audit assessed the extent to which membership fee payments were 
compliant with applicable authoritative documents, and the adequacy of the management 
control framework that administered payments. The audit produced four recommendations, all 
of which have completed management action plans. 

1.2 Audit Objective, Scope and Limitations 

As a follow-up of the effectiveness of the controls that were enhanced as a result of the 2011 
audit, DGAEE conducted the Continuous / Technically Assisted Audit: Memberships. This audit 
was performed pursuant to the CSE Audit and Evaluation Plan for FY 2016-17 to FY 2020-2l 1 
that was approved by the Chief, CSE on 7 July 2016. 

The engagement's objective was to provide reasonable assurance to management that 
individual and corporate membership expenditure were remitted for valid expenses in 
compliance with authorized policies. The scope of the audit was individual and corporate 
membership transactions for fiscal year (FY) 2015-16. 

Memberships that may have been included in the cost of a training course or conference 
registration are not examined in this audit. Such memberships offer reduced registration costs 
to attendees though employees are prohibited from accepting these offers unless the 
membership is previously approved. These memberships are out of the scope of this audit as 
examination would require analyzing all conference travel claims from FY 2015-16. 


Methodoloi 


The audit examined a sample size of 111 potential membership transactions. Analysis of the 
111 transactions found 56 were related to individual memberships, 6 were related to corporate 
memberships and 49 were out of scope. 2 The following data collection methodologies were 
employed to develop findings and conclusions. 


1 Refer to CERRID #29757242. 

2 See Annex A for additional information on determination of sample size. 
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Tests: Tests for this audit examined control processes related to the 1) administration, 2) 
remittance and 3) tracking of membership expenditures to ensure accordance with applicable 
policies and directives: 

1) Exercise of financial authority is carried out by persons with the appropriate delegated 
authority and a segregation of duties exists to reduce the possibility of erroneous or 
inappropriate action; 

2) Remitted membership fees are in accordance with policy and directive requirements; 
and 

3) Remitted membership fees are tracked and recorded with effective quality control 
measures for audit purposes. 

Document Review: Records from Labour Relations, Information Discovery (CIO-E formerly 
Library Information Services) and Finance were obtained and used as the basis of the evidence 
for this audit. The following relevant CSE and government policies and directives were 
reviewed: 

• Assistance for Spouses or Common-Law Partners (FSD 17); 3 

• Corporate Memberships and Library Information Services (LIS) Role, 

• CSEC Delegation of Authorities for Financial Administration (FIN-01-01); 

• Directive on Membership, Registration and Licensing Fees (HRH-65); 

• Financial Officer to Chief Financial Officer Career Path ; 3 

• Financial Administration Act, 

• Membership Fees Provisions of Collective Agreement, 

• Policy on Counselling and Advisory Program (HRH-81); 3 

• Policy on Psychological Assessment Services (HRH-18); 3 

• Polygraph Testing Policy (SEC-201); 3 and 

• Rescission of Membership Fees Policy. 

Interviews: Interviews and email correspondence were conducted with Labour Relations 
Advisors, Information Discovery Supervisor and Advisors, Finance Accounting Operations 
Manager, Supervisor and Staff, and Human Resources Analytics Advisors (HR). 



This section summarizes the main findings of the three tests conducted to ensure that the 
expected controls were working as expected. 


3 These documents were examined during the process of looking at rationale behind membership claims. 
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3.1 Administration Control 


Audit Test: Exercise of financial authority is carried out by persons with the appropriate 
delegated authority and a segregation of duties exists to reduce the possibility of erroneous or 
inappropriate action. 

The purpose of this test was to verify that the Financial Administration Act Section 34 
certification authority for each of the 56 individual membership transactions and 6 corporate 
memberships held the appropriate financial signing authority, and that, as per section 3.8 of 
CSE's Delegation of Authorities for Financial Administration (FIN-01-01), a segregation of duties 
existed between the certification authority and the person benefitting from the claim. 

To assess compliance with delegated authorities, electronic and/or hard copies of individual and 

corporate membership claims were examined Tab|e t _ Section 34 & sedation of Duties 
against the CSE Financial Signature Card Test 

Application to verify that the persons signing 
had the designated Section 34 authority for the 
Responsibility Centre (RC). Claims were also 
reviewed to ensure a segregation of duties. 

Individual Memberships 

Fifty-five of the 56 individual membership transactions were examined to verify appropriate 
Section 34 authority and segregation of duties. The hard copy for one claim could not be found. 
The examination found 100% compliance for the 55 claims assessed. 

Verification of Section 34 authority could be strengthened by the signing authority printing his 
or her name and including the date of signing. The printed name field was left blank on 8 out of 
55 GACs and only just over half Section 34 authorities (29 out of 55) included the signing date. 
Though the signature block does not specifically request a signing date, it assists auditing to 
verify proper signing authority was held at the date of the signing. 

Corporate Memberships 

Six corporate memberships were examined to verify appropriate Section 34 authority. The 
examination found 100% compliance for the 6 claims assessed. Segregation of duties was not 
examined for these memberships as they were corporate memberships that were not benefiting 
an individual. 

3.2 Remittance Control 


Audit test: Remitted membership fees are in accordance with policy and directive 
requirements. 


3 
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The purpose of this test was to verify that remitted fees for individual and corporate 
memberships examined were done in accordance with CSE policy and directive requirements. 

Individual Memberships 

Remitted individual memberships were examined to verify that the membership was recorded in 
the Labour Relations master list, and to confirm that the membership was either a federal 
requirement for the employee to carry out the functions of his or her position or in direct 
support of a government program, as per section 6.9.1 FIN-01-01. 4 

The audit found that 52 of the 56 individual membership transactions met the criteria of being a 
requirement of the individual to carry out duties of the position or in support of a government 
program. Three memberships that did not meet the required criteria for reimbursement were 
granted exceptional approval from DG HR. Documentation for the remaining membership could 
not be found in Labour Relations, Finance or Information Holding Services records and thus 
could not be examined for rationale of its remittance. 

The 56 membership transactions examined were held by 48 different individuals, with some 
persons holding more than one membership. Data provided by HR showed that 44 of the 48 
individuals remained for the duration of the FY in the position for which the membership was 
either a requirement for the claimant to carry out the functions of his or her position or in 
support of a government program. Of the remaining four people that had changed positions 
since claiming the membership, three individuals had been promoted within the same 
directorate into positions that also required the membership, and one individual moved to a 
new group near the end of FY 2015-16. 

Of note, some practitioners were remitted for multiple 

provincial or national professional association memberships. According to HRH-81, 
practitioner positions require registration with "a professional association," indicating that only 
one such registration is required to carry out duties of the position. While each remitted 
membership on its own met the criteria of being a requirement of the position, Labour Relations 
has confirmed that starting in FY 2017-18 only one professional association membership will be 
remitted for practitioners. 

Corporate Memberships 

Six corporate memberships for FY 2015-16 were examined to verify that the requests followed 
the process of CSE's Directive on Membership, Registration and Licensing Fees (HRH-65). This 
directive's process calls for the RC manager requesting the corporate membership to consult 
with Information Discovery (formerly Library Information Services) to ensure the membership 
was not already held at CSE. If it was not, the manager commits the funds in the Financial and 
Asset Management Information System (FAMIS) and forwards an approved Corporate 


4 See Annex B for Individual Membership Remittance Process with Internal Control Systems. 
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Membership Form to Information Discovery, who will pay the fees and charge the cost to the 
FAMIS commitment, and record the membership in a master list. 

The audit found that none of the corporate memberships followed the full process of HRH-65. 
Table 2 compares HRH-65 to Information Discovery's internal document on corporate 
membership guidelines and to the corporate membership practice of Information Discovery in 
FY 2015-16. 

Table 2 - Comparison of Procurement of Corporate Memberships 


HRH-65 - CSE Directive on Membership, 
Registration and Licensing Fees 

Information Discovery Corporate 
Membership Guidelines 

Audit Findings for FY 2015-16 Corporate 
Memberships 

Prior to approving a corporate membership, 
the RC manager should consult with 
information Discovery to ensure the 
membership has not: already been obtained. 

Information Discovery will not determine the 
merit of the membership. RC managers are 
responsible for including justification for the 
membership with the membership request for 
documentation purposes. 

Clients consulted with information Discovery 
prior to purchase for four of six memberships. 
One membership was automatically renewed 
by Information Discover/ based on past years 1 
consultation. 

One membership was procured by client: 
w ithout con so If at ion. 

RC manager submits approved Corporate 
Membership Application Form to information 
Discovery. 

Client submits a Corporate Membership 
Application Form or written request which 
includes Justification and funding commitment: 
to information Discovery. 

Clients submitted an application for three 
memberships and provided justification for 
two other memberships. 

RC manager ensures that a commitment for 

costs Is created in FAMIS. 

RC manager is required to provide the funds 
for the membership. 

information Discovery does not require 
financial coding; they provide permission for 
the RC managers to purchase. 

information Discovery will pay the fees and 
charge the costs to the appropriate RC 
manager's budget / commitment. 

Once the application form or request, has been 
received, information Discovery will procure 
access to the membership on behalf of CSE. 

RC managers paid for and procured five 
memberships. 

One membership renewal was paid for and 
procured by Information Discovery. 

inf ormation Discovery has the role of ensuring 
that a monitoring system is establi shed for all 
corporate memberships. 


Corporate memberships are recorded but not 
monitored. 

information Discovery maintains the corporate 
membership master list for each fiscal year. 

information Discovery 4 maintains the corporate 
membership master list for each fiscal year. 

information Discovery maintains the corporate 
membership master list for each fiscal year. 


Recommendation (Moderate) 

1) It is recommended that Director, Information Management (CIO-E) ensures that the 
Information Discovery's approval and procurement process for corporate memberships aligns 
with the Directive on Membership, Registration and Licensing Fees (HRH-65). 


3.3 Tracking Control 

Audit test: Remitted membership fees are tracked and recorded with effective quality control 
measures for audit purposes. 

The purpose of this test was to verify that remitted individual and corporate membership fees 
were tracked and recorded with effective quality control measures for audit purposes. 
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According to section 6.1 of HRH-65, CSE is required to record membership and registration fees 
and retain information on the total amount spent on memberships and the number of 
memberships held for each fiscal year. This reporting requirement is also outlined in section 
6.9.3 of FIN-01-01. 

Section 4.3 of HRH-65 assigns to Labour Relations the responsibility of reviewing, monitoring 
and recording individual membership fees forwarded by RC managers. Labour Relations' FY 
2015-16 membership master list identified 55 approved memberships, of which 51 of these 
were claimed and remitted. As Labour Relations does not track whether a membership was 
remitted, there was no notation in the master list of the 4 memberships listed but not claimed. 

FAMIS queries identified 5 remitted memberships that were not in Labour Relations' master list. 
This included 1 membership for which no documentation could be obtained for this audit. 5 

The total CSE expenditure validated in FAMIS for all individual memberships totalled : 
for FY 2015-16. This differed slightly from the Labour Relations master list total of 
The difference between the two amounts is due to the following: 

• Labour Relations records the amount with tax included while FAMIS transactions deduct 
tax from Canadian purchases; 

• Approximately of non-membership related costs were incorrectly coded to General 

Ledger (GL) Professional Membership Fees as part of a GAC that included 

membership fees; 

• Unless a request for approval contains a GAC with the amount paid in Canadian dollars, 
fees in US dollars are not converted into Canadian dollars in the master list; and 

• Five remitted memberships were not listed in the Labour Relations master list. 

In section 5.2 of HRH-65 the responsibility for maintaining a master list of corporate 
memberships is assigned to Information Discovery. The corporate membership master list for 
FY 2015-16 identified two memberships. An additional three corporate memberships were 
approved by Information Discovery but were not recorded in the master list. Finally, one 
membership was procured without Information Discovery consultation. 

The total amount of all corporate memberships in FAMIS was The Information 

Discovery master list recorded the cost of the two tracked memberships in the original currency 
(one membership was in US dollars). 

The audit also examined the use of financial coding to determine if memberships were coded to 
the correct GL and if sub-project codes were used for tracking purposes. Evidence 
demonstrated that the majority of individual and corporate memberships (97% or 64 out of 66) 


5 This membership claim for was identified through GL coding and purchase description in 

FAMIS. 
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were correctly coded to the Professional Membership Fees GL Given that there were 

only 68 transactions 6 in FAMIS for FY 2015-16 that were coded to GL it is the audit's 

opinion that there would be little benefit to the introduction of sub-project codes specific to 
memberships. 

Recommendation (Minor) 

2) It is recommended that Director, Information Management (CIO-E) establish a process for 
periodic reconciliation between Information Discovery's master list of corporate memberships 
and corporate membership expenditures in FAMIS. 

Recommendation (Minor) 

3) It is recommended that DG HR establish a process for periodic reconciliation between Labour 
Relation's approved master list of individual memberships and individual membership 
expenditures in FAMIS. 


Condusio 


Based on the tests performed, the audit found: 

1) Strong administrative controls and appropriate segregation of duties around the exercise 
of financial authority for individual memberships. 

2) In most cases, remittance controls for individual memberships were in accordance with 
policy and directive requirements, and the noted example of positions remitted for 
registration with multiple professional associations will be addressed by Labour Relations 
to correct for FY 2017-18. Evidence of the remittance process for corporate 
memberships found inconsistency between Information Discovery's membership 
approval and procurement process and the process outlined in HRH-65. 

3) Tracking and recording controls were stronger for individual memberships than for 
corporate memberships, the latter of which recorded only two of six memberships for FY 
2015-16 in the master list. Both master lists did not track and reconcile with FAMIS the 
total amount spent in FY 2015-16. GL codes are almost always used appropriately for 
membership claims and the small number of claims coded to the memberships GL 
indicates that there is no need for usage of sub-project codes to help monitor and track 
membership expenditures. 


6 The 68 transactions represented of CSE transactions, and of CSE's total expenditure in FY 

2015-16. 
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Audit Recommendations and Management Action Plan 


# 

Observation 

Recommendation 

Management Action Plan 

OPI 

Target Date 

Audit Ranking: 7 Moderate 

l 

The audit found that none of 
the six corporate 
memberships obtained for 

CSE followed the full process 
of the Directive on 
Membership, Registration 
and Licensing Fees (H RH - 
65). 

It is recommended that Director, 
Information Management (CIO-E) 
ensures that the Information 

Discovery's approval and procurement 
process for corporate memberships 
aligns with the Directive on 

Membership, Registration and 

Licensing Fees (HRH-65). 

Annual communique on Corporate 
memberships to CSE explaining process and 
authority for managing memberships. 

Hold meeting with CIO-E library staff to 
share results of audit and go through the 
revised corporate membership guidelines in 
alignment with HRH-65 to ensure that all staff 
are aware of procurement procedures, 
definitions and proper saving of corporate 
membership documentation. 

CIO-E 

March 2017 

Audit Ranking: Minor 

2 

The audit found that 
Information Discovery's 
master list of corporate 
memberships was 
incomplete, with only two of 
six memberships recorded. 

It is recommended that Director, 
Information Management (CIO-E) 
establish a process for periodic 
reconciliation between Information 
Discovery's master list of corporate 
memberships and corporate 
membership expenditures in FAMIS. 

Create reconciliation process and add to CIO- 
E: corporate membership guidelines. Ensure 
reconciliation between FAMIS and CIO-E list 
is done quarterly. 

CIO-E 

March 2017 

Audit Ranking: Minor 

3 

The audit found that Labour 

Relations' master list of 
individual memberships was 
incomplete, and did not 
match the memberships 
processed in FAMIS. 

It is recommended that DG HR 
establish a process for periodic 
reconciliation between Labour 

Relation's approved master list of 
individual memberships and individual 
membership expenditures in FAMIS. 

At the end of each fiscal year Finance will 
provide Labour Relations with a list of all 
membership payments processed for that fiscal 
year. 

Labour Relations will reconcile the list of 
membership payments from Finance against 
the Labour Relations membership list. 

Director HR Programs 

Director Finance 
Operations 

March 2017 


7 See Annex C for descriptions of audit recommendation rankings. 
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Annex A - Audit Sampl 


The audit sample was determined first by examination of the FY 2015-16 membership master 
lists of Labour Relations and Information Discovery. A total of 57 memberships were 
identified, with 55 individual memberships from Labour Relations' master list and 2 corporate 
memberships from Information Discovery's master list. 

CSE's FAMIS financial system was cross-referenced to verify remittance amounts and to 
identify potential membership costs that were not identified in the master lists. This search 
identified 54 additional transactions for examination, bringing the total to 111 transactions. 
The 54 additional transactions were discovered through these FAMIS queries: 

• All financial line items under GL Professional Membership Fees; 

• All financial line items with "Memb" in the description field; 

• All financial line items coded to GLs Professional Services, Training Inside 

Canada, Training Outside Canada, and Education, Tuition, Exam; 8 and 

• All financial line items with "Toast", in the description field. 9 

Table 3 shows all 111 transactions identified and whether they were determined to be in or out 
of scope for this audit. 


Table 3 - Transactions Examined 


Transactions Examined 


In 

Scope 

individual Memberships in Labour Relations Master List and FAMIS 

51 

62 

individual Memberships in "AMIS Only 

5 

Corporate Memberships in information Discovery Master List and FAMIS 

2 

Corporate Memberships in FAMIS Only 

4 

Out of 

Scope 

Individual Memberships in Labour Relations Master List Only* 

4 

49 

Financial Coding Transactions 

8 

Toast Waste rs Tr a i n i ng* * 

27 

Other Transactions Deemed Out of Scope*** 

ID 


* Itese memberships were not domed and therefore are not included in the individual membership total 
““ ToastMasters transactions often were described as memberships in their FAMIS descriptions but are financially coded 
and treated as an in-house learning activity. 

*** These items included subscriptions. Foreign Service Directive payments, and professionai fees. 


8 These GLs were searched based on results following the "Memb" FAMIS search. 

9 These phrases were searched following results from the "Memb" and GL searches. "Toast" refers to 

ToastMasters memberships and ’ items. 
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Electronic and/or hard copies of the 111 individual and corporate membership transactions 
were obtained from Finances Accounting Operations. The 56 individual and 6 corporate 
membership claims examined in this audit are listed in Table 4 and Table 5, respectively. 
Exceptional approval for and the was granted by 

DG HR. Exceptional approval was also granted for 

who were on a developmental path towards 


Table 4 - Individual Membership Transactions by Organization 


Memberships bf Organization # Requirement in Support off Exceptional 


of Position a Program Approval 




✓ 

✓ 



✓ 





yf 

yf 


■f 

s 



s 




/ 





s 



s 







* s. s m e sr off m B6AEE a-so ho : z memberships which ore pmdfm by Treasury Board Secretariat 

** indicates membership that couiti net be verified 


Table 5 - Corporate Memberships Process Comparison 





f 

/ 

Client 


✓ 

Client 



Client 



Client 


y 

Information Discovery 

/ 


Client 
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Annex B - Individual Membership Remittance Process with 

. . ... . . __ . __ 


This process chart represents a description of the individual membership remittance process 
with internal control systems, which are identified in purple boxes. 

“ A call for individual memberships goes out in the first quarter of 

l > dg hr call letter sent out i ^ fj sca | y ear f rom qg HR to the Executive Leadership Network 

(ELN), Manager Leadership Network (MLN) and Supervisor 
▼ Leadership Network (SLN) email distribution lists. 


ELN, MIN. SLN 
distri butt 


ELN, MLN and SLN distribute amongst staff. 


ytufemfeip 
.w ripot!find 


Individual membership claims are identified. 


/ Control - DS 
R*¥lfW 


Completed individual membership forms are reviewed and 
approved at the applicant's DG level. 


Nii-m btriliips 
submitted ?o m 


Approved forms are submitted to Labour Relations. 


Recorded in LR 
Master i |$i 


Labour Relations records the request in the membership master 
list. 



Briefing note to 
DG HR / DCCS 

prepared 


Labour Relations reviews to ensure the membership meets the 
requirement as necessary for an individual to carry out duties of 
position, or that the membership is in support of a government 
program. Exceptional approval may be sought at this control level 
if the membership has justification. 

a. If the membership is a requirement for the individual to 
carry out duties of the position or is in support of a 
government program, Labour Relations prepares a briefing 
note for DG HR approval. 

b. If there is a business case for the membership to be 
granted, Labour Relations prepares an exceptional approval 
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email request for DG HR or DCCS. 


3 


Centro 
DG HR 


W 


Membership requests and briefing notes are sent to DG HR for 
approval. 


H Me-mterships Following DG HR approval, membership requests are forwarded to 

\ sent to wmmm y' Finance. In cases where the membership has not already been 

paid, DG HR approval is sent to the claimant, who upon purchase 
of the membership forwards the completed GAC and confirmation 
of DG HR approval to Finance. 10 


It 


Control "• 

/ fmmm 

/ 

W 


Finance reviews membership claims to verify receipts are included 
and financial signing authorities are correct. If signing authority is 
missing, the claim is returned by internal mail to the claimant for 
proper approval. If claim is missing receipts or other information, 
Finance will contact the claimant. 


Membership 

Remitted 


If claim is has proper receipts and signing authority, payment is 
processed and the membership is remitted. 


10 The audit found that because GAC signing sometimes occurs after Labour Relations review, there are 
instances when Labour Relations cannot confirm the RC paying the claim and thus verify that the 
membership is a requirement of the individual to carry out the duties of his or her position. 
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Annex C - Description of Audit Recommendation Rankin 


• Major: A key control does not exist, is poorly designed or is not operating as intended. 
Corrective action is required as soon as possible to avoid a potentially significant 
negative impact involving loss of assets, reputation, resources (including information), or 
ability to comply with important laws, policies, or procedures. 

• Moderate: A key control does not exist, is poorly designed or is not operating as 
intended and the financial and/or reputation risk to the organization is more than 
inconsequential. However, a compensating control exists. Timely corrective action will 
avoid a sole reliance on compensating controls and avoid a potentially negative impact 
involving loss of assets, reputation, resources (including information), or ability to 
comply with important laws, policies, or procedures. 

• Minor: A weakness in the design and/or operation of a non-key control. No urgency 
diagnosed (e.g. best practices). Corrective actions usually contribute to efficiency. 

These issues may be addressed using management letters. 
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CTA Audit - Memberships 


CONFIDENTIAL 


Annex D - List of Acronyms 


CAP 

Counselling and Advisory Program 

CTA 

Continuous / Technically Assisted 

DGAEE 

Director General Audit, Evaluation and Ethics 

DG HR 

Director General, Human Resources 

FAMIS 

Financial and Asset Management Information System 

FY 

Fiscal Year 

GAC 

General Allowance Claim 

GL 

General Ledger 

HR 

Human Resources 

RC 

Responsibility Centre 
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Communications Security 
Establishment 


Centre de la securite 
des telecommunications 


P.O. Box 9703 
Terminal 
Ottawa, Canada 
K1G 3Z4 


C.P. 9703 
Terminus 
Ottawa, Canada 
K1G 3Z4 


JAN 1 9 2017 


i NCLASSfH -:n 


Oitr fih* Notre rcferrme 

CERRID # 32847528 


Dear Mr, Calkins: 

Thank you for your December 13, 2016 letter regarding the study of the Security of Canada 
Information Sharing Act (SOSA) by the Standing Committee on Access to Information, Privacy and 
Ethics, 

CSE is one of Canada’s key security and intelligence organizations, CSE’s mandate and authorities are 
defined in the National Deface Act (NDA), which requires CSE to do three things: 1) to acquire and 
use information from the global information infrastructure for the purpose of providing foreign 
intelligence, in accordance with Government of Canada intelligence priorities: 2) to provide advice, 
guidance and services to help ensure the protection of electronic information and of information 
infrastructures of importance to the Government of Canada; and 3) to provide technical and operational 
assistance to federal law enforcement and security agencies in the performance of their lawful duties. 

As you highlighted in your letter, SC1SA lists CSE as an entity that can receive information from 
another Government of Canada institution, SOSA does not supersede or expand CSE’s authorities to 
collect or receive information from our domestic partners. To date, CSE has not received or disclosed 
information under SOSA. CSE relies on authorities under the NDA and the provisions of the Privacy 
Act , as well as information sharing arrangements with our domestic security and intelligence partners, 
when shari ng in format ion. 

To ensure that information is collected in accordance with its statutory obligations, CSE lias policies 
and systems in place to allow for the validation, tracking and auditing of information received. Such 
information exchanges involve specific guidelines to ensure that the information is relevant to CSE- 
mandated activities, and provided to appropriate personnel. Disclosing institutions arc encouraged to 
contact CSE before disclosing any information in order to ensure that CSE’s mandate allows for the 
lawful collection of the information. The implemented process further leverages existing information 
sharing mechanisms to ensure that information disclosed to CSE is appropriately tracked. 

More widely, I would like to highlight that CSE has a responsibility to protect privacy, and we take 
that responsibility very seriously. Protecting Canadian privacy is a fundamental part of our 
organizational culture and is embedded within our operational structures, policies and processes. 

CSE’s strong privacy framework includes detailed operational policies, with specific retention periods, 
and regular training and testing of staff on pri vacy and compliance knowledge, as well as internal 
review and independent external review by the Office of the CSE Commissioner, These measures 
contribute to ensuring that CSE’s activities are conducted in a way that protects Canadian privacy 
interests. 


Sincerely, 

k. yi-, : 

G reta Rossen cna ter 
Chief 



Page 


A-2017-00030-00020 




















































Communications Security 
Establishment 

P.O. Box 9703 
Terminal 
Ottawa, Canada 
K1G 3Z4 

JAN 1 9 2017 

ML Calkins, 


Centre de la securite 
des telecommunications 

CP. 9703 
Terminus 
Ottawa, Canada 
K1G 3Z4 


NON CLASS!Flit 


Out file Natre r4*f$r#tu%* 

CERRID# 32847528 


Je vous remercie pour la lettre que vous nous avez transmise la 13 decern bre 2016 concernant I etude 
de la Lot sur la communication dInformation ayanf trait a la securite du Canada par le Comite 
permanent de Faeces a 1’information, de la protection des renseignements personnels et de Pethique. 

Le CSX est Pun des principmix organismes de securite et de renseignernent du Canada. Son mandat et 
ses pouvoirs sent definis clans la Lot sur la defense nut ion ale (LDN). qui eon fere au CS1 les trois roles 
suivants : 1) acquerir et utiliser Pin formation provenant de I 9 infrastructure mondiale d’information 
dans le but de foumir des renseignements Strangers, cn conformity avec les priorites du gouvemement 
du Canada (GC) en matiere de renseignernent; 2) fournir des avis, des conseils et des services pour 
aider a proteger les renseignements electroniques el les infrastructures d ? information importantes pour 
le GC; et 3) fournir une assistance technique et operatiormelle aux organismes federaux charges de 
P application de la loi et de la securite dans Pexercice des fonctions que la loi leur con fere. 

Comine vous Pavez souligne dans voire lettre, la Loi sur la communication dinformation ayanf trait d 
la securite du Canada delink le CSX comme une entity pouvant recevoir de Pinformalion dame autre 
institution du GC. La Loi sur la communication d Information ay ant trait d la securite du Canada ne 
rernplace ni rraccrok les pouvoirs du CSX en ce qui a trait a la collecte et a la reception de 
Pinformation provenant de partenaires nationaux du CSX. Jusqtfa maintenant, le CSX iva recu ni 
divulgue aucune information en vertu de la Loi sur la communication dInformation ayanf trait d la 
securite du Canada. Dans ie cadre d’echanges cf information, le CSX s'apptiie sur les pouvoirs qui! 
del ient en vertu de la LDN, sur les dispositions de la Loi sur la protection des renseignements 
personnels et sur les ententes dmehange cLinformation conclues avec ses partenaires nationaux de 
securite et de renseignernent. 

Pour s’assurer que Pinformation est recueillie conformemenl a ses obligations statutaires, le CSX met 
en place des politiques et des sysfemes visant a valider et a verifier Pinformation reque, et a en fa ire le 
suivi. Ces eehanges cP information doivent etre conformes a cert nines directives qui visent a s'assurer 
que Pinformation recueillie est pertinence pour les activites du CSX et que les bons destinataires la 
regoivent Nous invitons les institutions qui veulent transmettre de Pinformation au CSX a 
communiquer avec Ini avant toute divulgation pour qir il s'assure que son mandat lui permet de 
recueillir Pinformation en toute legal he. Le processus en place comprend dhtlitres mecantsmes 
d’echange cPinformation pour veiller au suivi adequat de Pinformation transmise au CSX. 

Xaimerais egalement souligner de fegon generate qiril ineombe au CSX de proteger la vie privee des 
Canadians et que Porganisms prend cette responsahilite ires au serieux. La protection de la vie privee 
des Canadians est un element fondamentai de ia culture organisationnelle du CSX et fait partie 
integrante des structures, des politiques el des processus organise! ionnels du CSX. Le cadre de 
protection de la vie privee du CSX est ires rigoureux. II comporte des politiques operationnelles 
detaillees, dent des periodes de conservation precises, des exigences de formation et dtexamens 
regnlters sur la conformity et la protection de la vie privee pour le personnel, ainsi que des examens 
internes et externes independents menes par le Bureau du commissaire du CSX. Grace a ces mesures, 
on s'assure que le CSX efifectue ses activites tout en protegeant la vie privee des Canadiens. 


Cordialement, 



G ret a B ossen ma ier 
Chef 


11*1 

Canada 
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Standing Committee on Access to 
Information, Privacy and Ethics 


COMITE PERMANENT DE L’ACCES A 
L’INFORMATION, DE LA PROTECTION DES 
RENSEIGNENIENTS PERSONNELS ET DE L’ETHIQUE 



House of Commons 

ChAMBRE DES COMMUNES 

CANADA 


[PAR COURRIEL] 

2016-12-13 


Greta Bossenmaier, chef 

Centre de la securite des telecommunications 

C.P. 9703, Terminus 

Ottawa, Ontario 

K1G 324 


Madame Bossenmaier, 

Dans le cadre de son etude concernant la Loi surla communication ({'information ayant trait a la 
securite du Canada (LCISC), le Comite permanent de faeces a finformation, de la protection 
des renseignements personnels et de I’efhique souhaite obtenir des precisions quant au mandat 
de votre organisation et son role en vertu de la Loi, 

Comme vous le savez, votre organisme fait partie des institutions federates destinataires selon 
I’annexe 3 de la Loi, 

Plus precisement, le Comite voudrait savoir dans quelle mesure le mandat de votre organisation 
est lie a la securite nationaie, et comment votre organisme entrevoit ses responsabilites en 
vertu de la Lot en tant qu’institution destinataire quant a la collecte. la conservation et la 
communication de renseignements personnels. 

Nous vous serions tres reconnaissants de transmettre au Comite I’information demandee au 
plus tard le vendredi 20 janvier 2017, afin que le Comite puisse en prendre compte lors de la 
reprise de ses travaux a la fin janvier. Au besoin, un representant de votre organisation pourrait 
etre invite a temoigner devant le Comite pour discuter plus amplement de ce sujet. 


Sinceres salutations, 



Blaine Calkins, depute 
president 
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Standing Committee on Access to 
Information, Privacy and Ethics 



House of Commons 
Ckambse des communes 
CANADA 


COMITE PERMANENT DE L’ACCES A 
L’INFORMATION, DE LA PROTECTION DES 
RENSEIGNEMENTS PERSONNELS ET DE L’ETHIQUE 


[BY EMAIL] 

2016-12-13 


Greta Bossenmaier, Chief 
Communications Security Establishment 
C P. 9703, Terminus 
Ottawa, Ontario 
K1G 3Z4 


Dear Ms, Bossenmaier, 

In the context of its study of the Security of Canada Information Sharing Act (SCISA), the 
Standing Committee on Access to Information, Privacy and Ethics is seeking clarification on 
your organization’s mandate and its role with regards to the Act. 

As you know, you are listed as a recipient institution as per Schedule 3 of the Act. 

More precisely, the Committee wishes to know how your organization’s mandate relates to 
national security, and how your organization views its responsibilities under the Act as a 
recipient institution, with respect to the collection, retention, and further disclosure of personal 
information. 

The Committee would appreciate receiving this information by Friday, January 20. 2017, so that 
it can consider your response when it resumes sitting in late January. A representative of your 
organization may be invited to appear before the Committee to discuss the subject matter 
further, if required. 


Best regards, 



Blaine Calkins, MP 
Chair 
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January 27, 2017 
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MEMORANDUM FOR CHIEF CSE 

CSE IM Strategy: Goafs for 2017 and Beyond 
(For Approval) 


Summary 

• A CSE Information Management (IM) Strategy was signed in 2012 by the CSE 
Information Management Senior Official (IMSO), as required by Central Agency at 
the time. The 2012/13 strategy referenced a five year plan that carried the 
organization through to FY 2016/17. 

• A new CSE IM Strategy has been drafted for FY 2017/18-2019/20, Enterprise IM 
Strategy 2017 and Beyond. This strategy seeks to reinvent, modernize and 
innovate how the organization manages its information assets. (Reference 
document: IM Stra t egy 2016 - 2020 .) 

• Approval of this strategy by the Chief, CSE is being sought. Government 
departments are now mandated by Central Agency to have a Deputy-Head 
approved IM Plan. 

• The new IM Strategy was presented to, and endorsed by, the CSE IM/IT Steering 
Committee on 17 October 2016. 


Background 

• Treasury Board expectation is that departments will have a Deputy-Head approved IM 
Plan to demonstrate that IM is integrated as part of organizational business planning 
and complies with GC horizontal priorities. This requirement is regularly assessed in 
the Management Accountability Framework (MAF) for IM/IT Stewardship. 

* Since the current CSE IM Strategy signed in 2012/13 only carries the organization 
through to FY 2016/17, a new IM Strategy has been drafted. This strategy sets out 
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four areas of opportunity which align with CSE overall strategic direction as well as 
Central Agency priorities 1 . Moreover, the strategy incorporates feedback from focus 
group discussions with CSE employees as well as the results of an environmental 
scan of emerging trends for addressing growing IM challenges across industry and 
government. 

• We have identified four key areas of opportunity that will move CSE along the maturity 
curve from proactive to transformational IM. The four areas of opportunity are as 
follows: 


s.15(1) - DEF 


1 . Mature records & Collections Management - This involves managing the 
physical and digital records of the department, identifying possible datasets for 
release through the Government of Canada’s Open Government initiative and 
ensuring adherence to legislative, Treasury Board and Library and Archives 
Canada requirements for organizational recordkeeping. 

2. Information Management Compliance - Establishing a compliance 
monitoring program to hold the organization accountable for its IM practices is 
essential to maturing best practices and establishing pro-active measures to 
address IM accountabilities. A compliance program would reduce our 
exposure to risk and help the organization meet its legal obligations under the 
Access to Information Act and the Privacy Act as well as the policy on 
Management of Government Information. 

3. Best-ln-Class Service Delivery - Growing and modernizing IM services and 
better alignment with mission needs was a theme that resonated with focus 
groups and was proven through a number of pilots conducted with the mission 
in 2016/17. CSE’s IM Advisory Services has resources with over 10 years of 
experience with enterprise document and records management systems who 
could play a leadership role in our growing need shared services and shared 
information in a TS environment; the Library offers a traditional media 
monitoring service 


4. Innovation through Partnership - This involves experimenting with new 
ideas like information valuation, engaging partners on challenging projects like 
building a CSE-wide taxonomy, and finding synergies and economies by 
sharing knowledge, expertise and products related to open source information 
discovery. 


1 The GC’s horizontal priorities are set out in the Treasury Board GC Enterprise IM Strategy and revised Treasury Board 
IM policy suite. Central agency is currently reviewing the GC IM vision and strategy with a view to modernizing IM in 
government. It has four main goals: improving service to Canadians, enabling workforce flexibility & mobility, 
bringing government closer to citizens and business and supporting innovation and collaboration. At the same time that 
Central Agency is updating the GC IM vision and strategy, it is also revising the entire IM policy suite. This revision is 
moving the focus away from basic recordkeeping to treating information as a strategic asset. 
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• Each area of opportunity includes a number of strategic goals that serve to address 
business drivers and describe our desired future state. These goals are supported by 
key activities that identify the specific steps needed to satisfy them. The activities also 
form the basis for a deliverology schedule that accompanies the strategy as Appendix 
B. 

• The IM Strategy was presented to, and endorsed by, the CSE I M/IT Steering 
Committee on 17 October 2016. I M/IT Committee October 17 Draft RoD: 

https://cerrid2.corp.cse/cerrid/llisapi.dll?func=ll&obiaction=overview&obiid=31795991 


Next Steps 

CIO will work closely with a communications representative to share strategy highlights and 
implications with staff. 


Recommendation 

It is recommended that the Chief approve the CSE Enterprise IM Strategy 2017 and 
Beyond. 


A/CIO 
' IMSO 


Reviewed by: 

Director, Information Management 
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IM@CSE - DELIVERING THE INFORMATION ADVANTAGE 


UNCLASSIFIED 



"To manage a business well is 
to manage its future; and to 
manage the future is to 
manage information." 

- Marion Harper Jr. 
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RM'iiiCTlGN 

Information, along with people, finances and infrastructure, are key strategic resources in the Government of 
Canada and is at the very core of CSE's operations. Information is the foundation of everything we do, from 
service delivery and planning activities to decision-making and policy development. 

The quality, reliability and integrity of information are critical to the fulfillment of our mandate, and can only 
be ensured through enterprise-wide information management (IM). CSE's IM Program supports the delivery of 
services across the organization for the protection and security of records throughout the lifecycle, while 
assisting in providing efficient systems for access to the information. 

Because of the sensitivity of our information, it is essential that we have the highest IM standards in place. The 
vast accumulation of information and the added complexity of collaborative ecosystems across the 
intelligence community, nationally and internationally, create challenges for us. We face a fundamental choice 
between being in a constant state of catch-up, and opportunity; implicit in this concept is the idea that we are 
entering a period that requires a transformation in how we manage our information. 

The objectives of this enterprise strategy are dear - acknowledge the value of CSE's information, the 
importance of managing CSE's information at an enterprise level, and the benefits of treating CSE's 
information as a strategic asset. Every employee is responsible for the success of this strategy - regardless of 
role, working level, or business line. As CSE employees, we are the stewards of the information we collect and 
create. It is our duty to safeguard this information as a public trust, and manage it as an asset to maximize its 
value in the service of Canadians. 


■ i n 
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WHERE WE ARE TODAY 

We are well positioned... 


CSE has a mature information management governance structure that provides leadership. This structure is 
clearly articulated in CSE's policy suite which explains the responsibilities, accountabilities, and expectations of 
CSE employees in carrying out IM activities. A culture of evidence-based decision making supports good 
governance by using monitoring and reporting processes as the primary reference for refining existing, and 
planning new, initiatives. 


We have engaged Library and Archives Canada to issue a suite of Records Disposition Authorities that gives us 
the legal right to dispose of our information. To complement these instruments, we have worked with the 
business lines to develop records retention and disposition schedules that describe the types of information 
we have, how long we are required to keep this information, and how we are to dispose of it when the time 

comes. 


Our move from the Confederation Heights Campus to the Edward Drake Building has forced us to reduce our 
paper footprint and adopt healthy practices to minimize office clutter. Paper reduction goals have also been 
met through the digitization of paper documents; in fact, CSE was one of the first departments in the 
Government of Canada to implement such a program. 

For the past decade CSE has kept up with the latest Treasury Board-approved Enterprise Content 
Management (ECM) systems. CERRID ensures standardized electronic document and record management 
across all business lines. A robust training and awareness program that is dedicated to providing a customized 
service supports this system through a number of channels, including in-class training, computer-based 
modules and one-on-one sessions. 


During the 2015-2016 Management Accountability Framework (MAF) assessment period, CSE was evaluated 
on IM and was commended by Treasury Board for its stewardship. CSE completed 100% of planned paper and 
electronic disposition activities, well above the Government of Canada average, and submitted its 
departmental Open Government Implementation Plan. 
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But not without challenges 

While CSE has invested in a designated corporate repository, CERRID, this system does not currently contain 
and manage all of the organization's unstructured electronic information. CSE stores its information in a 
number of formats and distributes them across multiple applications and platforms. This practice complicates 
the search and retrieval process. Moving our holdings into the designated corporate repository will not only 
help curb the negative effects of information overload, it will better support collaboration and evidence-based 
decision making. 

We know that the volume of information we collect and create is growing at an exponential rate, but are we 
ready for it. We are creating 150,000 new documents monthly in CERRID alone. Moreover, a recent inventory 
of our IT infrastructure shows that we have an additional 112 data and information repositories that need to 
be managed. Although the price of digital storage is on the decline in the real world, CSE could invite 
additional costs for surpassing storage quotas under its private sector partner agreement. Keeping 
information longer than we should may also expose the organization to the unnecessary production of stale 
records in response to Access to Information and Privacy (ATIP) requests, as well as prolonged eDiscovery, 

The biggest challenge to achieving the highest level of information management maturity is human. The key to 
success rests squarely on collaboration, coordination, and cooperation. Employees are also looking for more 
lightweight systems to perform their work - systems that mirror what they have in their personal lives. We 
need to strike a balance between traditional time tested practices and newer disciplines that allow 
information to be handled with more flexibility. 



A-2017-00030-00031 



ifVf@CSE - DELIVERING THE INFORMATION ADVANTAGE 


UNCLASSIFIED 


BUSINESS DRIVERS 

Although progress has been made on how we manage information, we need to shift toward realizing and 
sustaining an information advantage for improved business outcomes. The following represents a sample of 
the business-driven IM requirements that need to be addressed and supported by this strategy. 

' V- Driver Legislated Compliance 

Departmental accountabilities, responsibilities and requirements have evolved following the Treasury Board 
refresh of the IM Policy Suite and Strategy for the Government of Canada, as well as changes to Library and 
Archives Canada's direction on documentary heritage. CSE will adapt to these changing requirements by 
ensuring it has the appropriate policies and processes in place. 

' ■ u. ;v lt; Appropriate Collection and Use of Open Source Information Resources 

In order to effectively leverage increasing quantities of publicly available information, CSE must assess its 
current open source information holdings, identify additional information requirements, and ensure 
appropriate governance of the acquisition, management and use of open source collections. The way in which 
open source products and services are produced, managed and delivered must undergo a significant 
transformation. There is a need for innovative, value-added open source products and services that focus on 


S.15(1) - DEF 

M-war Diminished Infnriimiinn Risks 

Complex organizations like CSE require increasingly sophisticated safeguards to prevent security and privacy 
breaches. The workforce must understand and apply proper IM practices for sharing and protecting 
information. It must also exercise its duty to document and its duty to delete. Working in tandem with 
information security, privacy, litigation and IT specialists, we can begin to develop and implement mitigation 
measures to reduce risks and improve the integrity of our information. 



Knowledge Gep 


The knowledge gap manifests itself on multiple levels, from the individual level all the way to the enterprise 
level. CSE is facing a wave of impending retirements of long-tenured experts. As each of these valuable 
resources departs the organization, we need to consider continuity. Moving toward a future where 
information is used to its fullest potential will require training to aid employees, including IM functional 
specialists, in acquiring skills for effective IM. 
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Uala Analytics Imperative 

CSE faces increasing demands from across the enterprise for data analytics solutions to address rapidly 
increasing data volumes. Data literacy will become a core skillset to be embedded throughout the enterprise. 
The need for data analytics permeates the mission with impacts on foreign intelligence analysis, business 
intelligence, global situational awareness, and corporate governance. The need to acquire, process, manage 
and use vast quantities of data, often in real time, will require investment in tools, training and infrastructure; 
the increased importance of open source data will also require that adequate low side infrastructure be in 
place in order to effectively extract value from that data. 

f"i s .... . 

Disruptive Business, Service and lechnalogy Trends 

Trends in IM present opportunities for change and innovation, and these must be seized. To stay relevant, CSE 
must reach out to key partners and devote time and money to experimenting with new approaches and 
technology trends for addressing growing IM challenges. 


Digital Collaboration 

To allow for genuine collaboration across the department and the S&l community, CSE needs to reduce 
information silos, integrate IM practices and automate business processes. CSE must find ways to facilitate 
knowledge sharing and re-uses of existing information resources. In transitioning to fully digital information 
collections, CSE must decrease its paper footprint and enable a collaborative environment in which 
information can be widely accessed. This will involve building and modernizing the Canadian Top Secret 
Network, and assessing opportunities for shared initiatives to strengthen cooperation and realize efficiencies. 
For initiatives with IM implications, CSE will have to determine how it manages responsibility for full 
compliance {i.e. ATIP, IM, records management and legal disclosure obligations being met). 
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WHERE WE WANT TD BE 


Our Vision is to foster an organizational culture where information is safeguarded 
and managed as a shared strategic asset to advance CSE's cyber mission. 


We have identified four key areas of opportunity that will move CSE along the maturity curve from proactive 
to transformational IM. At the end of our journey, we will be able to declare that: 


CSE continues to excel at organizational recordkeeping, embraces the move towards greater openness and 
makes conscious changes in IM practices and investments to improve specific business outcomes, 

WE ARE COMPLIANT; 

CSE has strengthened policy and legislative compliance and holds the organization accountable for its IM 
practices. 

WE ARE SERVICE-ORIENTED: 

CSE offers best-in-class enterprise services to remain relevant from a service offering perspective and also 
aligned to the objectives of the business. 


CSE has engaged key partners to transform its capacity, shifting our philosophical outlook of IM and exploiting 
our information in imaginative ways, 
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H : .'VV WE VVSLL UET THEKii’ 

Each area of opportunity includes a number of strategic goals that serve to address business drivers and 
describe our desired future state. These goals are supported by key activities that identify the specific steps 
needed to satisfy them. The activities also form the basis for an implementation plan that accompanies this 
strategy. 

The timeline below is a high level view of the strategy and how it supports our vision. Goals are categorized by 
level of complexity: 

1. Foundation - meeting our essential IM requirements. 

2. Differentiated - growing our capacity to become more agile with our information. 

3. Innovative - piloting new ideas to transform our IM posture. 


1 


a 


Legislated Compliance 
Appropriate Collection & 
Use of Open Source 



GOALS 


FDUNDATIO 




Records Management 

Open Source Collections Management 

Policy Re-set 

Training & Awareness 

Modernized Library Services 


Diminish Information Risks 
Knowledge Gap 
Digital Collaboration 


DIFFEREN 




Compliance Monitoring Program 
Strategic Advisory Services 
IM Agenda for Joint Initiatives 
Open Source Communities 
Succession Planning 


Data Analytics Imperative 201 
Disruptive Business Services & 
technology Trends 
Diminish Information Risks 


NNOVATIVE 



Open Source InformatidrfDiscovery 

eDiscovery 

Business Intelligence 

Taxonomy 

Valuation 
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Goal 1: Records Management 

Goal 2: Open Source Collections Management 

jivJkTlIITY 2: Compliance 

Goal 3: Policy Reset 

Goa! 4: Compliance Monitoring Program 
Goal 5: Training & Awareness 

OPPORTUNITY 3: Best-ln-Class Service Delivery 

Goal 6: Strategic Advisory Services 

Goal 7: Open Source Information Discovery (OSID) 

Goal 8: Modern Library Services 

Goal 9; eDiscovery 

Goal 10: Business Intelligence 


Goal 11: IM Agenda for Joint Initiatives 
Goal 12: Open Source Communities 
Goal 13: Industry & Academia Touchpoints 
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: r : ' Mature Records & Collections Management 

WE ARE MATURE 

Bringing CSE to a higher level of maturity where policy and legislative requirements are fully met and the 
department has access to high-quality, authoritative information to support its business goals. 



Manage the physical and digital records of the department, identifying possible datasets for release through 
the Government of Canada's Open Government initiative and ensuring adherence to legislative. Treasury 
Board and Library and Archives Canada requirements for organizational recordkeeping. 

KEY ACTIVITIES 

* Create an inventory that identifies and contextualizes CSE's information repositories of business value. 

B Maximize the release of information in support of the Government's Open Government initiative, subject 
to valid security and privacy exceptions. 

■ Identify key areas of risk to CSE's information resources and implement mitigation strategies. 

* Increase disposition on structured data in corporate databases. 

■ Streamline processes for managing and transferring records of archival value. 

■ Continue digitization initiatives. 



Enhance traditional library services to better align with corporate and mission objectives and to optimize the 
department's open-source collections. 

KEY ACTIVITIES 

B Issue a collection development policy that sets out well-defined criteria for inclusion in CSE's open source 
collections. 

* Acquire and sustainably manage commercial electronic resources that are targeted to the various CSE 
communities. 

■ Upgrade the library's cataloguing software to enable federated searching across the Tutte Institute for 
Mathematics and Computing (TIMC) and the corporate library collections. 

■ Enhance the user interface and promote the broader use of CSE's open source information resources. 



A-2017-00030-00037 
























!M@CSE - DELIVERING THE INFORMATION ADVANTAGE 


UNCLASSIFIED 


1 : Compliance 



Strengthening policy and legislative compliance by implementing renewed policies, performing a 
monitoring and reporting function, and revamping the training program. 



; Policy Reset 


Create a cohesive IM policy suite to ensure consistency and proper alignment with CSE and Government of 
Canada direction. 


KEY ACTIVITIES 

18 Review, update and consolidate IM policies. 

* Address policy gaps e.g. Open Government obligations, process for departing employees, eDiscovery, 
Open Source Information Discovery activities, etc. 



Cnmplinnce Monitoring Program 


Establish a compliance monitoring function in IM whereby information systems and settings would be actively 
monitored for policy compliance. 


KEY ACTIVITIES 

B Identify theme activities for assessing compliance with Treasury Board and departmental IM policies and 
follow-up actions for non-compliance. 

8 Establish governance for the program to include key accountabilities and responsibilities within CSE with 
respect to the monitoring process as well as reporting requirements. 

" Conduct a pilot project involving a chosen business line. 


. a .1: Training B Awareness 

Strengthen employee understanding of their individual accountabilities, and drive awareness and change 
within the culture ofthe business lines. 


KEY ACTIVITIES 

B Develop and implement a mandatory IM awareness session for all CSE employees. 

■ Make better use of IM didactic material available across Government for internal re-use. 


1 . M 
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1M@CSE - DELIVERING THE INFORMATION ADVANTAGE 


UNCLASSIFIED 


lEst-ln-Class Service Delivery 


m 


E ARE SERVICE-ORIENTED 


Reaching new levels of excellence by growing and modernizing existing services and introducing new 
services. 



: Strategic Advisory Services 


Provide insight and guidance at a strategic level to strengthen internal IM governance and promote CSE's role 
as a leading expert of Government of Canada IM solutions in the top secret environment. 


KEY ACTIVITIES 

0 Continue conducting digital disposition activities on unstructured data and institutionalize best practices 
through policy, training & awareness and/or compliance monitoring. 

* Enhance CSE's information architecture by ensuring tools, systems and technical solutions implement 
enterprise IM requirements. 

■ Pioneer the role of the Data Steward. 



: Open Source Information Discovery (DSID) 


Expand the role of OSID to serve as an S&l community centre of excellence for the analysis, reporting and 
dissemination of products and services derived from OS information, and to effectively organize the 
acquisition and management of OS information, resources and tools. 


* Assess and acquire a variety of OS tools and data sets. 


■ Develop innovative products and service delivery options. 

■ Develop OSID tradecraft and techniques. 

m 
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UNCLASSIFIED 


OPPORTUNITY 3: Best-In-Class Service Delivery 


WE ARE SERVICE-ORIENTED 


Reaching new levels of excellence by growing and modernizing existing services and introducing new 
services. 


. D .1: Modern Library Services 

Connect employees with the Open Source electronic and print information they need to be successful in their 
work through in-depth research, annotated bibliographies and a modern online presence. 

KEY ACTIVITIES 

* Implement enhanced processes and/or systems to better gather, track and analyze client requirements for 
open source research and material. 

* Enhance research products by leveraging OSID tools and optimize dissemination platforms. 


._.1 : eDiscovery 

Introduce an in-house expertise capable of performing electronic searches across all information systems in 
support of access to information and litigation requests, which will allow the department to execute discovery 
consistently and increase the level of quality control. 



* Codify the processes for identifying information that must be produced for access to information or 
litigation purposes. 

* Implement a new capability to perform searches across the increasingly complex technology and 
application infrastructure at CSE. 



: Business Intelligence (Bl) 


Develop a modern Bl service by creating a holistic approach that leverages technical innovations, data 
analytics, and user engagement. 


KEY ACTIVITIES 

• Assess and document existing Bl initiatives within CSE. 

* Develop a strategic overview of emerging Bl trends and standards. 

■ Explore a proper governance model, innovative analytic solutions, and integrated information 
management. 
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Innovation Through Partnership 

WEAREUNKED 

Unlocking transformational change by engaging other government departments, 5-Eyes and private sector 
partners to leverage lessons learned, collaborate on initiatives and keep up-to-date on latest industry 
trends. 


Engage with CSIS in ongoing bilateral knowledge sharing and work collaboratively with Government of Canada 
departments that are involved in rolling out shared services to ensure desirable features can be leveraged by 
CSE as well as OGD's IM and records management programs. 

KEY ACTIVITIES 

■ Continue working with CSIS under the auspices of Integrated Internal Services Working Groups. 

B Explore a for OS collections. 

a Champion the adoption of and partner with on piloting 

configurations (e.g. Auto-classification, eDiscovery Rights). 

8 Participate in other centrally coordinated working groups to influence technical developments related to 
IM (e.g. MyGCHR). 


12 1 M :! 

Actively develop a network of national and international partnerships in the Open Source information space. 


:v a i 


IVITIES 


0 Nationally, stand up an active community of interest focused on sharing OS expertise and products by 
leveraging expertise of These partners will 

form the core of a working group. 

■ Internationally, take advantage of the International Open Source Working Group (IOSWG) to 


. m 
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UNCLASSIFIED 


Innovation Through Partnership 

WE ARE LINKED 

Unlocking transformational change by engaging other government departments, 5-Eyes and private sector 
partners to leverage lessons learned, collaborate on initiatives and keep up-to-date on latest industry 
trends. 


13 

Partner with industry and academia to keep abreast of the latest trends and thinking and help evolve CSE's IM 

practices. 

KEY ACTIVITIES 

“ Explore approaches and tools for implementing a CSE taxonomy. 

* Explore a sustainable and whole-of-system approach to the valuation of CSE information assets. 

* Work with vendors on tools development. 

* Develop an academic outreach program for IM/RM succession planning and strategic advancements. 


. ■ 
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UNCLASSIFIED 


Records Manaqement 


KEY ACTIVITY OUTCOME PERFORMANCE INDICATOR 


* Create an inventory that 
identifies and contextualizes 
CSE's information of business 
value. 

* CSE has an inventory that enables 
sound decision making, services, 
ongoing reporting and answers 
performance and accountability 
requirements. 

8 Increased use of the inventory across 
the organization. 

8 Maximize the release of 
information in support of the 
Government's Open 

Government initiative, subject 
to valid security and privacy 
exceptions. 

® A drive for openness that is 
embedded in CSE culture and 
processes. 

8 CSE contributes to the Open Data 
Dialogue through the release of data 
sets and transfers of information 
resources of enduring value (IREV). 

8 Inventory of data and information 
resources of business value is 
complete and current. 

8 Public releases of CSE datasets and 
information resources on 
open.canadaxa increase yearly in 
accordance with TBS direction. 

K CSE has maximized the removal of 
access restrictions on departmental 
IREV prior to transfer to LAC. 

m Identify key areas of risk to 

CSE's information resources 
and implement mitigation 
strategies. 

8 Information that is essential to 
running our business is available in 
the face of physical or technological 
disaster. 

» There is an established risk register 
for identifying risks to information 
resources and creating risk profiles 
specific to iRBVs. 

** Personal information is retained and 
disposed of to meet Privacy Act and 
Access to Information and Privacy 
(ATIP) requirements, 

* Appropriate use of system access 
permissions and classification. 

8 Essential records are identified and 
protected. 

8 Inappropriate or inadvertent 
information disclosures or loss 
incidents are minimized. 

* increase disposition on 
structured data in corporate 
databases. 

** Increase In accountability to TBS and 
LAC on the disposition of corporate 
information, 

18 ATIP and litigation risks diminish. 

8 Automated disposition capabilities 
are included in new systems. 

* Streamline processes for 
managing and transferring 
records of archival value. 

* LAC policy requirements for 
documentary heritage are met. 

** Records disposition authorities 
(RDAs) are current 

* CSE manages born-digital 
information. 

8 Declassification/downgrading 
program and/or policies are 
established, 

i 8 Current RDAs are updated and 

integrating into a single document. 

8 CSE has implemented a formal 
program to manage born-digital 
information. 

1 Continue digitization 
initiatives. 

* Reduce our physical footprint and 
modernize processes, 

8 Increased searchability of 
information holdings. 

8 Physical space occupied decreases. 

8 Reduced search time for information 
retrieval. 


il ■ ■ 
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UNCLASSIFIED 


KEY ACTIVITY 


s Issue a collection 

development policy that sets 
out well-defined criteria for 
inclusion in CSE's open source 
collections. 


■ Acquire and sustainably 

manage commercial electronic 
resources that are targeted to 
the various CSE communities. 


8 Upgrade the library's 
cataloguing software to 
enable federated searching 
across the TIMC and the 
corporate library collections, 

8 Enhance the user interface 
and promote the broader use 
of CSE's open source 
information resources. 



CERRID 31202803 


m ; Management Open Source Collections Management 

OUTCOME : PERFORMANCE INDICATOR 


* CSE has an open source collection 
that precisely links to CSEs 
mandates. 

85 Loans as a percentage of the 
collection increase by 20%, 

* Funds are accountably spent and 
budget has flexibility embedded. The 
value for dollars for the collection is 
made apparent. 

* Usage metrics for the commercial 
resources is monitored and all seats 
are in use. 

• Both CSE library catalogues can be 
searched in one place. 

* Number of library requests that 

originate in the catalogue increase by 
15%, 

» Information resources for the 

enterprise are easy to find, use and 
share. 

18 Every resource sees an increase in 
page views. 
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UNCLASSIFIED 


Policy Reset 


KEY ACTIVITY 


OUTCOME 


PERFORMANCE INDICATOR 


s Review, update and 
consolidate IM policies. 

" Consistent management of CSE 
information. 

8 Address policy gaps e.g. Open 
Government obligations, 
process for departing 
employees, eDiscovery, Open 
Source information Discovery 
activities, etc. 

“ All IM requirements are covered by 
policy. 


Targeted IM behaviour improves by 
10 %, 


Annual policy gap analysis shows 
diminished gaps from previous year. 


ice Compliance Monitoring Program 


KEY ACTIVITY 


PERFORMANCE INDICATOR 


8 Identify theme activities for 

18 Compliance plan that identifies 

assessing compliance with 
Treasury Board and 
departmental IM policies and 
follow-up actions for non- 

| compliance. 

! 

theme activities. 

* Establish governance for the 

1 program to include key 

* Governance model is in place. 

accountabilities and 


responsibilities within CSE 
with respect to the auditing 
and monitoring processes as 

1 well as reporting 


1 requirements. 

1 13 Conduct a pilot project with a 

8 A business line is subject to 

| chosen business line, 

1 

1 

monitoring of one theme activity for 
a six month period. 


Plan complete and in place by target 
date. 

With plan complete, able to move to 
the next step, governance. 


Policy instrument issued and 
promulgated to support !M 
monitoring and reporting. 


Reporting results in behavioural 
change. 


Training 5 Awareness 


KEY ACTIVITY 


OUTCOME 


PERFORMANCE INDICATOR 


8 Develop and implement a 
mandatory IM awareness 
session for all CSE employees. 

8 Employees are informed of their IM 
responsibilities. 

" Make better use of IM didactic 
material available across 
Government for internal re¬ 
use. 

18 CSE spends less time creating 

material and reuses what is available 
from OGDs. 


Percentage of employees trained 
achieves and stays over 90%, 


Percentage of new versus reused 
material. Reused material exceeds 
50%. 
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UNCLASSIFIED 


Best-ln-Class Service Delivery Strategic Advisory Services 
BBiirat 


OUTCOME 


PERFORMANCE IND1CATO 


8 Continue conducting digital 
disposition activities on 
unstructured data and 
institutionalize best practices 
through policy, training & 
awareness and/or compliance 
monitoring. 

s CSE employees perform their 
information lifecycle duties 
delegated to them from the Policy 
on Information Management. 

8 Increase of finalized documents 
within the corporate repository. 

* Enhance CSE's information 
architecture by ensuring tools, 
systems and technical 
solutions implement 
| enterprise IM requirements. 

» Information management is 

integrated into tools, systems and 
technical solutions. 

* Principles of reuse and information 
authority are adhered to. 

* All new business requirements 

documentation includes information 
management requirements as 
identified by TBS for the IRBV 
inventory. 

| 88 Pioneer the role of the Data 
Steward. 

81 Improved IM across the 
organization. 

* Data Stewards deliver tailored 

service to meet specific client needs. 

8 Reduction in HPSM tickets 
requesting IM assistance. 


Best-ln-Class Service Delivery Open Source Information Discovery (DSID) 





PERFORMANCE INDICATOR 


18 Assess and acquire a variety of 

OS tools and data sets. 

* An inventory of robust analytic tools 
and a wide range of open source 
information resources are in place. 

« Tools are assessed against a set of 
established performance criteria. 

* At least two analytic tools are 

procured and In use by target date. 



* Develop Innovative 

products and service 
delivery options. 

* Reporting available in multiple 
formats across different platforms. 

85 Three kinds of reporting templates in 
active use: 

Ongoing Topic Briefs, and 

Deep Dive Research Papers. 

8 Products available via an OSID 
dedicated portal and at least one 
other delivery method. Some 
products 

8 Develop OSID tradecraft and 
techniques. 

* OSID team is a center of analytic 
excellence for open source 
information acquisition, collation, 
synthesis, analysis and dissemination 
tradecraft. 

« An OSID Analysts Handbook is 
produced and kept up to date with 
analytic tradecraft, training tips and 
best practices. 



i 


■ 
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UNCLASSIFIED 


est-ln-Class Service Delivery - Modern Library Services 


KEY ACTIVITY | 

lijJTCOME | 

1 PERFORMANCE INDICATOR 

8 Implement enhanced 

processes and/or systems to 
better gather, track and 
analyze client requirements 
for open source research and 
material. 

8 The library is familiar with their 
clients and monitors all requests. 

8 Management is made aware of the 
requests being completed. 

8 Monthly metric reports on client 
requests completed. 

8 Enhance research products by 
leveraging OSID tools and 
optimize dissemination 
platforms. 

8 The library’s products are improved, 
promoted and at the fingertips of 
analysts. 

8 Products viewed 20% more. 

Best-ln-Class Service Deli 

very - eDiscovery 


KEY ACTIVITY | 

OUTCOME | 

PERFORMANCE INDICATOR 

8 Codify the processes for 
identifying information that 
must be produced for access 
to information or litigation 
purposes. 

8 Appropriate information is produced 
with consistency, security and 
confidentiality. 

8 Reduced resources and time spent in 
eDiscovery, 

1 8 CSE processes are consistent and 
auditable. 

* Implement a new capability to 
perform searches across the 
increasingly complex 
technology and application 
infrastructure at CSE. 

8 Legally defensible and auditable 
controls are in place. 

8 Legal hold capability exists across 
the enterprise. 

8 Ability to collect forensics evidence 
and demonstrate compliance. 


Best-ln-Class Service Delivery Business Intelligence 


KEY ACTIVITY I OUTCOME I PERFORMANCE INDICATOR 


« A broad understanding of B! 
activities across the enterprise. 


8 Ability to assess the level of Bi 8 A report on 81 standards is 

maturity across C$£, produced, complete with 

recommendations for 
implementation. 


Foundational strategy in place for 8 A comprehensive 81 strategy 

the implementation of enterprise- prepared and presented to IM/IT SC, 

wide 81. 

■■ ■ ■ 
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A consolidated report detailing all 
current and currently proposed Bl 
initiatives is produced. 


8 Assess and document existing 
Bl initiatives within €$E. 


8 Develop a strategic overview 
of emerging Bl trends and 
standards. 


8 Explore a proper governance 
model, innovative analytic 
solutions, and Integrated 
information management. 
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p> „ , , , s.21 (1 )(b) 

i n ii: j ih u - IM Agenda for Joint Initiatives 


KEY ACTIVITY OUTCOME PERFORMANCE INDICATOR! 


8 Continue working with CSIS 
under the auspices of 

Integrated internal Services 
Working Groups. 

B Opportunities are assessed and 
implemented to strengthen 
cooperation, collaboration and 
realize efficiencies. 

0 A detailed analysis (he. value 
proposition, impact and 
implementation) and 
recommendations on IM-related 
potential shared service initiatives, 
such as RM, data management, 
archival services, library services, 
etc. is completed. 

* Explore a 

for OS 

collections. 

8 CSE and CSIS have a joint vision for 

OS collections. 

8 An options analysis for the 

of 0$ collections is 
complete and a decision reached. 

• Champion the adoption of 
and 

partner with on 

piloting 

configurations (e.g, Auto- 
classification, ©Discovery 

Rights). 

0 A strong partnership with 

aligns our platforms for 
a common approach. 

** Evaluation of 
capabilities. 

• Quarterly meetings with on 

specific agenda items. 

* Participate in other centrally 
coordinated working groups to 
influence technical 
developments related to IM 
(e.g. MyGCHR). 

s IM Requirements are built into new 
applications. 

8 Regular meetings with relevant 
stakeholders. 


KEY ACTIVITY 


Open Source Communities 

OUTCOME 


PERFORMANCE INDICATOR 


8 Nationally, stand up an active 
community of interest focused 
on sharing OS expertise and 
products by leveraging 
expertise of 

These 

partners will form the core of 
a working group. 

8 Closer collaboration between 
agencies. 

8 Internationally, take 

advantage of the International 
Open Source Working Group 
(IOSWG) to 

0 Analytic knowledge transfer and 
increased CSE capabilities. 


The CO! meets at least twice a year. 


Increased contributions of CSE 
products to 

Team members make presentations 
to both IOSWG events every year. 
An international integree is 
embedded within the OSID team for 
at least six months. 
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ndustry S Academia Touchpoints 


KEY ACTIVrrY OUTCOME performance indicator 


Explore approaches and tools 
for implementing a CSE 
taxonomy. 

88 Recommendation on a CSE 
taxonomy. 

* Development of white paper is 
monitored. 

* Explore a sustainable and 
whole-of-system approach to 
the valuation of CSE 
information assets. 

* A valuation approach that allows CSE 
to categorize its information assets, 
potentially reduce inventory carry 
costs, and help prioritize and budget 
IT/business initiatives. 

K A proposed method of measuring 
information quality and value 
characteristics. 

* A process for performing, reviewing, 
and communicating information 
asset valuation assessments. 

• Work with vendors on tools 
development. 

* Vendors have implemented desired 
features. 

I 

* The team identifies at least two 
opportunities for tool development, 
such as improved auditing function 
in analytic tools, and works directly 
with the vendor to enhance 
capabilities. 

* Develop an academic outreach 
program for IM/RM succession 
planning and strategic 
advancements. 

* 1M succession planning and strategic 
advancements is improved, 

1 

• Biannual meetings with academic 
partners, 

1 _ 


■ 
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Date: 


Director, Information Management (CIO-E) 


Date: 


Acting Deputy Chief - Chief Information Officer (CIO) 
Information Management Senior Official (IMSO) 



Greta Bossenmaier 

Chief, Communications Security Establishment 


Date: 


zn 0 6 2017 
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■ ■ Communications Security 

■ ! ■ Establishment Canada 


Centre de la securite 

des telecommunications Canada 



TOP SECRET//SI//CEO 

Cerrid # 33204488 
ECT# 17-26286 


CSE - CSIS Update to the National Security Advisor 

(For Approval) 


Summary 

• Attached for your signature is a letter to the National Security Advisor, developed 
jointly by CSE and CSIS, to provide an update on the ongoing collaborative work 
between our two agencies. 

• The letter has been approved at the ADM level at both agencies. 

• Upon your signature, the letter will be provided to Director Coulombe for signature 
and then provided to the NSA. 


Dominic Rochon 

Deputy Chief, Policy and Communications 



Canada 
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CCM#: 25675 CERRID #: 31292832 

MEMORANDUM TO THE NATIONAL SECURITY ADVISOR 
CSE-CSIS COLLABORATION 



ISSUE: 


To provide an overview of current priority areas of collaboration between the Canadian Security 
Intelligence Service (CSIS) and the Communications Security Establishment (CSE). 

BACKGROUND : 

CSIS and CSE have common national security goals and share a number of challenges in keeping 
Canada, Canadians and Canadian interests safe and secure. The two agencies continue to work 
collaboratively in accordance with our respective mandates and legislative authorities to effectively 
fulfill the government's national security intelligence requirements. 

The CSE-CSIS Joint Management Team (JMT) - a group comprised of members of both Executive 
Committees - is the agencies' senior forum for setting priority activities for cooperation and addressing 
issues of mutual interest. The JMT is supported by four ADM-level sub-groups that meet as required, 
specifically the Operational, Cyber, Corporate, and Integrated Internal Services JMT Pillars. 

AREAS OF COLLABORATION: 


Operational Pillar 

CSIS and CSE have recently set strategic directions to lead them through the next five years, and 
are well aligned to with common priorities in and shared services. Over 

recent months, CSE has 


The passage of Bills C-44 and C-51 has required an evolution of the agencies' policy instruments 
and work continues on the implementation of these changes. Bill C-44 has allowed CSE to support CSIS 
more effectively in the pursuit of Canadian targets, predominantly outside Canada. At present, CSE is 
providing assistance on 


Bill C-51 has opened a new area of collaboration between the agencies - threat reduction - and 
a Memorandum of Understanding was signed in June 2016 to guide this collaboration. 
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The agencies continue to mature collaboration 


with designated partners 


CSE and CSIS have been working together on advancing relations 


In addition to the above, there are other established areas of collaboration and personnel 
exchange. For example, 

Collaborative work 

is underway to to reduce the likelihood of duplication. 


Other areas of 


collaboration include 

In addition, through standing requests for assistance, CSIS takes advantage of CSE's 
technical capabilities 


Cyber Pillar 

The agencies created a distinct Pillar for cyber to reflect the importance placed on cyber issues 

and ensure they are addressed on a regular basis. < 


structure 


The agencies have also developed a governance 
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Moving forward, CSIS and CSE will prioritize cyber engagement 


We are also enhancing collaboration in the 


Corporate Pillar 

Corporate collaboration between CSIS and CSE spans the policy, communications, finance, 
human resources, 

and these counterparts meet regularly. Domestically, we collaborated closely 

The agencies are also currently 

Moving forward, we plan to coordinate on how to best support the 
National Security and Intelligence Committee of Parliamentarians, and to implement any policy, legal, or 
operational changes required as a result of possible amendments to Bill C-51. 

Internationally, the agencies coordinated on travel to Five Eyes countries, namely to attend and 
deliver joint remarks at the meeting that took place 

and to meet with our partners to 

discuss multi-agency collaboration. Recently, we also jointly hosted a CIO forum which proved 

to be very successful. 

Being co-located continues to benefit the agencies' relationship-building and cultural awareness 
efforts. We frequently extend invitations for events and host joint CSE-CSIS gatherings such as GCWCC 
events and an annual CSE-CSIS volleyball tournament. Our proximity also encourages collaboration on 
internal communications, for example our recent communication 

and we liaise on public communications such as our respective Twitter accounts. 

Integrated Internal Services Pillar 

Integrated Internal Services (IIS) is an initiative that was launched in March 2016 that will allow 
CSE and CSIS to become more resilient within a joint community by leveraging best practices for internal 
services and building on each other's strengths. Co-location has seen areas for collaboration naturally 
arise, to official languages, 

Further, the agencies have begun 12-month pilots in the materiel management, and 

finance domains, during which a small number of participating employees are moving from one 
organization to the other, providing services to both. 

A second wave of pilots to begin this year will cover further areas within finance, as 

well as areas in procurement, emergency management, and communications. One specific example of 
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an IIS initiative is the plan to shift to a single Enterprise Resource Planning System to support financial 
and Asset management at both agencies, which will replace some of our financial, 

procurement and asset management legacy applications. 

We trust that you will find this overview of our collaboration to be a helpful contribution. As 
always, please do not hesitate to contact us should you require further information. 


Greta Bossenmaier 
Chief, CSE 


Michel Coulombe 
Director, CSIS 


4 


A-2017-00030-00056 



